The General Data Protection Regulation (GDPR) became law in the UK in 2018 to safeguard against violations of our data privacy. But how can these laws help you? Here, we examine what information is protected by the GDPR rules.
You turn on your computer to a completely crashed screen. Perhaps you put your cash card in an ATM only to read ‘insufficient funds’. Suddenly your mobile receives unwanted text alerts or spam emails from companies you’ve never heard of. Your Facebook page gets hacked. All of these events can be the results of a data protection breach. It can mean that someone has violated the security of a website and you are affected. Or it can mean those responsible for your data have lost it or allowed it to be breached.
In addition to looking at the GDPR, we discuss compensation that could be available to you as a victim.
You may already be in the middle of a data breach problem and are already feeling the unwanted effects of lost money or acute emotional distress. You don’t have to sort this out alone. We can help.
Our panel of data breach solicitors could advise you in one short phone call. Simply:
- Call and speak to our data breach team on 0161 696 9685. They can help assess your case and offer on the spot guidance and advice.
- Write or email us at Legal Helpline to explain what we do
- Or use the ‘live support’ option for instant answers
Select A Section
- A Guide On Information Protected By The GDPR Law
- What Is Personal Data Under The GDPR
- What Is A Natural Person Under The GDPR?
- Identifiers And Identifiable Individuals
- Personal Data Which Relates To An Identifiable Individual
- Types Of Information Protected By The GDPR
- How Private Companies May Use Your Personal Data?
- Find Out What Information An Organisation Has About You
- How To Ask A Company To Stop Processing Your Data
- Requesting Personal Data A Company Holds About You
- Calculate Compensation For Breaches Of The Information Protected by GDPR Laws
- How Your Claim May Be Valued
- Make A Data Protection Breach Claim With A No Win No Fee Solicitor
- Talk To A Data Protection Solicitor
- FAQs On Information Protected By The GDPR
- Where To Learn More About Information Protected By The GDPR Laws
As a consumer or citizen, your data rights have never been stronger. Data protection has always been taken seriously, but with the continued pre-eminence of the internet, it was recognised that stronger enforcement was needed to tackle online crime and organisations exploiting our data for improper purposes, like spam marketing.
Hackers and cybercriminals trawl the internet looking for your information to trade or use to set up bogus credit or fake identities. The misery and suffering this can cause the unwitting victim can be long-lasting and acute. GDPR seeks to address that.
An independent non-governmental agency called the Information Commissioner’s Office (ICO) is responsible for the enforcement of GDPR and the Data Protection Act 2018 in the UK. We look at what those laws are, how a company might breach them and what you could be eligible for as a result.
In addition, we offer guidance on how a claim can be valued properly by a No Win No Fee data breach lawyer from our panel to help you. You could be owed significant compensation if information about you, protected by the GDPR, has been attacked, exploited or exposed. This article explains steps you can take to see if you are eligible.
Remember, if you have any questions, get in touch on the number at the top of this page.
Firstly, let’s look at the GDPR definition of personal data. Usually, it is personal information that relates to an identified or identifiable living individual that you could use to recognise them by, such as their:
- Date of birth
- Family relation
- National Insurance number
- Tax details
- Marital status
- IP address, passwords etc
- Cookie identifier
- Email address
Other information protected by the GDPR includes special category data such as racial and ethnic background, political opinions, religious and philosophical beliefs, trade union affiliations, genetic data, biometric information (fingerprints, retinal scan information) health-related facts and anything concerning the subject’s sex life or orientation.
You may have other specific examples dependent on the type of job you do or your individual social arrangements. Speak to our team to discuss how you might qualify for compensation after a breach that involves special category data.
GDPR understands that the collection and use of personal data is an essential tool for modern business practice. It enables companies and organisations to provide better services and communicate more effectively.
We consent to give our personal data in a multitude of different scenarios, most commonly when we send emails, shop online or use social media. GDPR has simply tightened the expectations on those who gather, store, transport and circulate our personal information to do so with a more conscious emphasis on data breach safety.
A natural person is anyone who is identifiable by one or two natural factors which allow others to confirm the identity of that individual. This could be anything from something as vague as a surname to a detailed facial recognition profile.
The reason certain data is singled out for particular attention is that GDPR recognises how a breach on this level could result in an attack upon the very fundamental definitions of what it means to be an individual. Significant risks to data like this might directly impact their freedoms and human rights, such as:
- Conscience and religion
- Freedom of expression
- Assembly and association
- The right to bodily integrity
- The right to respect for private family life
- Freedom from discrimination
Data like this needs to be treated with extra care because the collection and possession of it could imply a greater risk to the natural person or data subject. In most situations, our consent would be needed to give over facts like this about ourselves, either voluntarily on our part or as a requirement of law. Once given, we have a right to expect it to be protected.
Could you be recognised from your data? Would it be possible for someone taking an opportunistic glance at your online or offline documentation to tell enough about you to commit a crime?
Identity theft is a growing business and all a hacker needs to steal from you are a handful of details that may be commonly used or already in circulation. Piecing them together is all it takes to construct a parallel version of you that can be used to defraud banks, breach immigration laws or commit other crimes. Leaving you with the consequences.
An example: A letter was sent to Mr Smith who works at the Post Office in town. This is a very generic description and may not mean much to those who don’t know him or the post office, or the town. Examples of identifiers would be additional detail such as Mr John Smith, with blonde hair who works as the main clerk in the Post Office at 23 The High St.
A few simple details are all it takes to completely focus on one person, without necessarily needing to divulge a great deal more. Identifiers and identifiable data are crucially important to keep safe.
So, what data is safe and what data should we be anxious to keep private? Obviously, most people are happy to divulge the following in social or business settings and do so without too much concern about a data breach risk. For example:
- Your first name and surname, possibly your title (Mr, Mrs, Dr or Prof)
- A mobile telephone number
- An email address
- Social media pages
This is information that could be present on a business card and most people understand that in order to function properly in today’s modern world it is essential to distribute a self-profile of some sort.
The proliferation of social media has perhaps blurred the clear boundaries between ‘public’ and ‘private’ that used to exist so that each person now has their own personal level of comfort about what they divulge about themselves.
But we should exercise caution. Some examples of data that could identify us that we would probably not wish to be in the public realm might be:
- Friends and associates
- Family members
- Our security passwords or login details
- Full bank account details and four-digit security numbers
- Medical records
- Criminal records
- Affiliations with groups or religious organisations
- Search history online
- Family background
- Work history
Boundaries are vital. It’s important to note that these details do more than simply add colour to our profile. They are facts about us that could be used to identify who we are. In the wrong hands, it represents a virtual template for a successful act of fraud.
When GDPR came into effect, firstly as part of the EU and then later enacted by the UK, the internet had become a hazardous place for the unsuspecting user.
Companies and organisations must install software and firewalls to fend off breaches caused by hacks. 7 core principles for good data handling are promoted under GDPR. This provides companies struggling to understand their new legal duties under GDPR with an instant template for compliant conduct.
The ICO Core Principles
With this in mind, any of the information held about you from the most basic to the most intimate must be treated according to the following:
- Lawfulness, fairness, and transparency – your personal data must be collected within the boundaries of the law and in a manner that you understand and agree to.
- Purpose limitation – data should be used purely for the reasons collected, nothing extra or unrelated.
- Data minimisation – only the required amount of data should be gathered or held.
- Accuracy – the personal details kept must be accurate and regularly updated.
- Storage limitation – finite periods of time should be in place for the keeping of data. No longer than necessary.
- Integrity and confidentiality (security) – data must be kept safe and secure. Only designated people should have access to it and every involved party should be aware of their data protection responsibilities.
- Accountability – Personal responsibility should be in place at every level. A data breach problem must be promptly admitted to the ICO (within 72 hours) and the data subject as soon as feasible.
Who is involved?
The three main groups involved in the use of our data are:
- Controllers – the original recipients of the data
- Processors – an inside or external agency that handles the data on behalf of controllers
- Third parties – those interested in using the data for pre-agreed purposes
Breaches can happen at any stage in this triangle. Controllers could leak data through an undetected hack. Processors might lose or damage data through human error, inputting mistakes or bad storage. Third parties can over-step their original remit and exploit the opportunity to use our data for unrelated reasons.
The ICO defines a GDPR data breach as any accidental or deliberate loss, alteration, copying, destruction or unauthorised use of personal data that leads to the data subject suffering harm. That harm can be financial, emotional or social.
Taking Responsibility ourselves
Before we start to discuss launching a claim against a company for a data breach, it’s vital that we check the breach was indeed the fault of another party.
It’s worth taking a moment to consider how you share your personal data. Since GDPR, almost every website will ask for our permission before allowing us to visit them. Cookie preferences might be an irritant to many who simply click ‘I agree’ in order to continue to the website. But they can be a vital way for us to take back control over how our data is being shared, used and stored.
Almost all businesses now use technology that captures and analyses your personal data. This happens for all sorts of legitimate reasons, the main ones being:
- To streamline services they can offer
- Marketing intelligence
- To connect with other interested companies or organisations and improve services
- Increase profitability
- For revenue-raising opportunities
- Public safety
- To detect crime
The more a business understands about their customers, the greater they can contextualise their offerings to them and obtain new insights from it. The ability to improve day-to-day operations and make more informed decisions lies at the heart of every company that wants to be a success.
Analysing and storing large amounts of qualitative and quantitative (type and volume) information about us is big business. Most companies now devote whole departments and budgets to the collection and handling of customer data.
Companies collect four main types of data for use:
- Personal data – identifiable information as we discussed above
- Engagement data – knowledge about how people interact with the company
- Behavioural data – purchase histories, repeated views or actions, mouse movements etc
- Attitudinal data – metrics relating to customer satisfaction, purchase criteria and other aspects of desirability.
All this data is then turned into knowledge to better understand the customers’ needs. As well as this, private companies use personal data to refine their marketing strategy.
Furthermore, companies and third parties do not always need your consent to use your data. So, what circumstances may not require permission?
- Consent – if you have explicitly given permission
- Contract – entered into a contract which implies giving consent by agreeing.
- Legal obligation – required by law or government agency, for example, HMRC
- Vital interests – when accessing the data will save your life or that of another (medical records)
- Public task – there is a reason relating to public or national safety to access the data
- Legitimate interests – the uses of data collection that fall within the original remit as stated.
Requests for consent must be clear and separate from other contracts or agreements. It should be simple to understand and demonstrate to all concerned that your permission has been explicitly asked for and received.
Flagrant breaches of these uses, as well as cybercrime, could expose your data to potential exploitation. The consequences can be ruinous to the data subject.
The first that you know about a data breach could be when the company involved writes or emails you to say you may have been implicated in a serious breach. Letters like this can be terrifying. It’s traumatic to suddenly find yourself in a vulnerable position like this and only natural to think it may have been fault on your part.
Whilst we may behave in a casual manner with our own data, companies certainly cannot afford to be so lax. With their highest penalty at £17.5 million or 4% of last year’s annual turnover, the ICO has formidable powers to reprimand organizations who breach GDPR.
The ICO offers templates for raising a concern with an organisation and asking them to intervene in a data breach incident. Request your details at any time – it’s your legal right.
You also have a legal right to request the full or partial restriction or suppression of data that is personal to you at any time. This right only applies in certain circumstances, (such as objecting to direct marketing usage) but you can make your request verbally or in writing if you object to other uses.
The organisation involved has one calendar month to respond to your request. With strong ties to Article 16 (Right to Rectification) and the right to object (Article 21), companies must have the appropriate structure in place to recognise a legitimate request for data restriction and act upon it without undue delay.
The ICO again offers a plain, easy to use template on how to approach a company to find out what information they hold about you. Called ‘right to access’ you can make a subject access request to discover:
- What personal details the organisation holds about you;
- How they are using it
- Who they are sharing it with
- Where they got your data from
In addition to this, the ICO can advise about getting data corrected or deleted. Both points are useful ways to exert more control over your personal information and to take a proactive stance on the information kept and used about you.
It was recognised that it’s possible to suffer emotional damage from a data breach in its own right after a change in the law following the Court of Appeal case of Vidal-Hall v Google. Before this ruling, it had been necessary to prove that you had suffered financial damage in order to claim for psychiatric harm. Now free to claim for either or both, anyone who can demonstrate financial and emotional harm can work with a data breach solicitor to construct a claim for data protection breach compensation.
A medical assessment must uphold any claims of acute stress or anguish caused by the effects of the data breach. Depression, anxiety and PTSD are all conditions that the Judicial College Guidelines acknowledges as very real and damaging consequences to data breach problems. To this end, they suggest amounts of compensation that might be appropriate to be awarded in cases like this.
|Psychiatric Damage - Severe||Severe problems that affect many areas of daily and social life.||£54,830 to £115,730|
|Psychiatric Damage - Moderately Severe||Significant problems with daily life. But, there is a more optimistic prognosis.||£19,070 to £54,830|
|Psychiatric Damage - Moderate||Marked improvement shave been made, despite having struggles with various problems.||£5,860 to £19,070|
|Psychiatric Damage - Less Severe||The effect on daily activities and sleep will be taken into account.||£1,540 to £5,860|
|PTSD - Severe||Inability to function the same as pre-trauma due to permanent effects.||£59,860 to £100,670|
|PTSD - Moderately Severe||Recovery is possible with help from a professional, but the person will still likely suffer for the foreseeable future.||£23,150 to £59,860|
|PTSD - Moderate||Largely recovered with any persisting symptoms not being majorly disabling.||£8,180 to £23,150|
|PTSD - Less Severe||A full recovery is made within 2 years, with only minor problems persisting after this.||£3,950 to £8,180|
As well as this, you can calculate the financial impact of the data breach in your life. As a victim of fraud, you may be feeling all manner of monetary losses or inconvenience as you attempt to control the effects of someone running loose in your bank account. These are all sums it’s possible to force the negligent organisation to refund you. The breach only happened because of staff error or a failure in software security. Why should you have to pick up the costs?
Once you have decided to start a claim for compensation for a data breach, there is a process that it’s wise to follow:
- Firstly, put your complaint of a data breach in writing to the organisation concerned
- If they approached you about the breach, ask them how they plan to repair it for you
- Give them no longer than 3 months to respond to your complaint. Any longer than this could compromise the seriousness of your claim
- Ask the ICO to step in and investigate. You do not have to use the ICO and they may choose not to take the investigation up. Their website offers a ‘self-assessment’ for a personal data breach that can help. Furthermore, the ICO’s involvement can only lend gravitas to your claim. They do not pay you compensation.
- Use the time whilst an investigation may be ongoing to collect evidence of harm to you suffered from the breach
- Material damages are all the financial impacts, so bills, receipts and statements from the bank can prove a loss for these things.
- Non-material are the results of your psychiatric evaluation which a data breach lawyer can help arrange for you.
- Finally, connect with a No Win No Fee data breach lawyer to start a private case against the organisation for the data breach they permitted.
- Call or email Legal Helpline to connect to the data breach solicitors on our panel with the expertise to value your case properly.
There are no absolute certainties with compensation. But if you follow this step by step guide, you enable yourself to have the best possible chance of holding an organisation to account for the data they breached about you. Speak to our team if you have any questions about initiating a claim right now.
GDPR data protection breach claims can be complex. You can represent yourself when seeking compensation from an organisation for exposing your personal details, but it’s easier with professional legal help. At Legal Helpline we aim to connect you with a No Win No Fee data breach solicitor from our panel to move your case forward quickly and accurately.
Our advisors understand the devastating impact of a data breach in the lives of those it touches. They can calculate damages for:
- Your pain and suffering
- Financial loss
- Damage to relationships
- Loss of pleasure in life
- Inability to work properly
- Increased risk of mental health issues
Giving you the best chance at putting your finances and life back together.
Legal Helpline offers an introductory service to our panel of data breach lawyers. Our No Win No Fee advisors can offer instant legal representation at no upfront costs or any costs as the case moves forward. If a case fails, there’s nothing to pay your lawyers at all.
Your lawyers retain a small percentage of the compensation awarded at the end of a successful case. Also, because No Win No Fee data breach solicitors take a percentage, you can rest assured that they give your case their maximum attention and efforts. Allowing you to concentrate on putting all this behind you.
Legal helpline can assist you with putting all these different aspects of a compensation claim together. Call our friendly team today and after a brief initial consultation, for which there is no charge or obligation to proceed, we could connect you with a data breach No Win No Fee lawyer from our panel who could boost the potential of your data breach claim. You never asked for the hack or the staff error. Get in touch today to put it right.
There’s a six-year time limit (which shrinks to 1 year in cases that violate your human rights) to start a data breach claim, so why not:
- Call and speak to our data breach team on 0161 696 9685.
- Write or email us at Legal Helpline
- Or use the ‘live support’ option for instant answers
Thank you for reading our guide on information protected by the GDPR laws introduced in 2018. We hope that it has assisted in your decision to seek compensation for the emotional or financial harm the breach may have caused you. Below are some frequently asked questions about data breach. If you have other queries, give us a call and we can answer them for you.
When did the GDPR come into force?
These laws came into effect in 2018. The Data Protection Act 2018 was updated in the same year.
What responsibilities do companies have under the GDPR?
To prevent the accidental or deliberate loss, destruction, alteration, copying or sharing of data in a way that may impact the data subject.
Are there penalties for breaching the GDPR?
Yes. The ICO can issue penalties of up to £17.5 million or 4% of that company’s last year annual turnover or £8.7 million or 2% for lesser offences.
We have discussed a broad range of topics. With this in mind, please refer here for more details about data breach compensation cases with Legal Helpline. We can also offer guidance on data breaches by companies such as healthcare providers and further FAQ’s. We also offer advice for victim support after a data breach and what the government suggests you do to make your personal data safer.
Other Data Breach Claim Guides
Thank you for reading our guide on the information protected by the GDPR.
Guide by JJW
Edited by REB